How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to create a p2p tunnel from Palo Alto with static ip to Palo Alto with dhcp (with public ip)

L1 Bithead

Dear all,

 

I am looking for a way to get a site2site tunnel working between a Palo Alto with static public ip and a Palo Alto with a "dynamic" endpoint (public ip through dhcp)

The tunnel shows as status green in the GUI and also on CLI it shows up, but no traffic is passing. I found a how to through the Palo Alto pages, and I am using the User FQDN instead of ip peer address.

Do I need to use a proxy id between the 2 Palo Alto's or can I use static for the tunnel at both ends? Or perhaps both?

 

5 REPLIES 5

L3 Networker

Hello Rob,

 

I might have found the issue, as since the tunnels are basically inside to inside, the previous engineer didn't add a rule to allow zone internal/inside to internal/inside on the dynamic endpoint side/firewall. I will keep you posted.

 

Jeff.

IP connectivity worked between several locations with static public ip and the site with dynamic public ip, however internal websites weren't reachable, whilst the external just worked fine (and outlook). I could reach the laptop from the engineer through RDP, and also the management ip of the Palo Alto was reachable through the GUI. The Palo Alto didn't block any http or https. The Palo Alto has a dhcp pool and 2 dns entries to serve the internal network. The local engineer could also ping the 2 dns ip's.

Although close to a solution, our timewindow ran out, so i had to do a rollback to the PFSense 😞

Will keep u posted on the progress.

Hi @fortigatefan,

This should be a fairly straightforward configuration. It sounds like you were able to reach resources through the remote firewall, but the remote party was unable to access resources through your own firewall correct? 

If that's the case you'll need to verify a couple things. 

1) There is a security policy in place that actually allows the remote users to access your local resources through the tunnel on both your remote firewall and the local firewall. It sounds like you may have allowed the traffic through to the remote end, but you aren't allowing that remote end through the terminating firewall. 

2) Have you tried reaching these internal sites strickly through IP instead of DNS? You may have allowed HTTP/HTTPS through the firewall, but if the remote locations DNS server doesn't know to point these users to your internal webserver then it's just going to send them out to the external website. 

 

Adding a little bit of the configuration from both ends might help a little in further troubleshooting, but that's where I would start looking. 

Hello BPry,

 

We have to postpone the migration 2 weeks, but I might be able to ask if we can install a spare laptop @ location to do some testing next time during the migration.

 

 

  • 4377 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!